Silhouetted person walks behind a glass window that has computer code inscribed on it
Photograph: KIRILL KUDRYAVTSEV/Getty Images

A Mysterious Group Has Ties to 15 Years of Ukraine-Russia Hacks

Kaspersky researchers have uncovered clues that further illuminate the hackers’ activities, which appear to have begun far earlier than originally believed.

Russian security firm Kaspersky today released new research that adds another piece to the puzzle of a hacker group whose operations appear to stretch back further than researchers previously realized.

Research published last week from the security firm Malwarebytes shed new light on a hacking group, Red Stinger, that has been carrying out espionage operations against both pro-Ukraine victims in central Ukraine and pro-Russia victims in eastern Ukraine. The findings were intriguing because of the ideological mix of the targets and the lack of connections to other known hacking groups. A few weeks before Malwarebytes released its report, Kaspersky had also published research about the group, which it calls Bad Magic, and similarly concluded that the malware used in the attacks didn't have connections to any other known hacking tools. The research Kaspersky released today finally links the group to past activity and provides some preliminary context for understanding the attackers' possible motivations.

Adding the Malwarebytes research to what they had found independently, Kaspersky researchers reviewed historic telemetry data to look for connections. Eventually, they discovered that some of the cloud infrastructure and malware the group was using had similarities to espionage campaigns in Ukraine that the security company ESET identified in 2016, as well as campaigns the firm CyberX discovered in 2017.

“Malwarebytes found out more about the initial infection stage, and then they found more about the installer” used in some of the group's attacks since 2020, says Georgy Kucherin, a Kaspersky malware researcher. “After publishing our report about the malware, we decided to view historical data about similar campaigns that have similar targets and that have occurred in the past. That’s how we discovered the two similar campaigns from ESET and CyberX, and we concluded with medium to high confidence that the campaigns are tied together and they are all likely to be executed by the same actor.”

The different activity through time has similar victimology, meaning the group focused on the same types of targets, including both officials working for pro-Russia factions within Ukraine and Ukrainian government officials, politicians, and institutions. Kucherin also notes that he and his colleagues found similarities and multiple overlaps in the code of the plugins used by the group's malware. Some code even appeared to be copied and pasted from one campaign to the next. And the researchers saw similar use of cloud storage and characteristic file formats on the files the group exported to their servers.

The Malwarebytes research published last week documented five campaigns since 2020 by the hacking group, including one that targeted a member of Ukraine's military who works on Ukrainian critical infrastructure. Another campaign targeted pro-Russia election officials in eastern Ukraine, an adviser to Russia's Central Election Commission, and one who works on transportation in the region. 

Back in 2016, ESET wrote of the activity it called “Operation Groundbait”: “The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics. While the attackers seem to be more interested in separatists and the self-declared governments in eastern Ukrainian war zones, there have also been a large number of other targets, including, among others, Ukrainian government officials, politicians, and journalists.”

Meanwhile, Malwarebytes had found that one particularly invasive tactic the group used in a more recent campaign was to record audio directly from the microphones of victims' compromised devices in addition to collecting other data like documents and screenshots. In 2017, CyberX named the campaign it was tracking “Operation BugDrop” because the espionage campaign targeting numerous Ukrainian victims “eavesdrops on sensitive conversations by remotely controlling PC microphones—in order to surreptitiously ‘bug’ its targets.”

In its work last week, Malwarebytes could not come to a conclusion about the actors behind the group and whether they are aligned with Russian or Ukrainian interests. In 2016, ESET found evidence that Operation Groundbait's malware had been in use all the way back to 2008 and attributed the activity to Ukraine.

“Our research into these attack campaigns and the [Groundbait] malware itself suggests that this threat is the first publicly known Ukrainian malware that is being used in targeted attacks,” ESET wrote in 2016.

Kaspersky cites this conclusion in its new research but notes that the firm does not engage in state attribution and did not investigate or verify ESET's findings.

Kucherin says that the group has been able to remain largely hidden for so long because their attacks are typically highly targeted, focusing on at most dozens of individuals at a time rather than launching mass exploitation. The group also rewrites its malware implants, which makes them difficult to connect until you have the full picture of multiple attack chains. And he adds that Ukraine has been such an intense digital battleground for so many years that other actors and activities seem to have distracted researchers.

“The most interesting thing, even shocking perhaps, is that the group has been acting for 15 years. That is a lot, and it's quite rare when you are able to attribute one campaign to another campaign that happened years and years ago,” Kucherin says. “We’ll see more activity from them in the future. In my opinion, it is unlikely that they will stop what they’re doing. They are very, very persistent.”